<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Convenience, Features, Disaster</title>
	<atom:link href="http://mrpogson.com/2012/10/16/convenience-features-disaster/feed/" rel="self" type="application/rss+xml" />
	<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/</link>
	<description>One man. Closing, all the windows.</description>
	<lastBuildDate>Mon, 20 May 2013 08:51:20 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100427</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Fri, 19 Oct 2012 01:28:14 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100427</guid>
		<description><![CDATA[That Exploit Guy, just to be a kick: with NFSv4 security fully enabled it is technically strong enough to be used on the Internet raw.  Not that I would risk that.

NFSv3 and NFSv2 should be disabled.  The common reason they are not is people trying to connect Windows machines.

OS X machines support NFSv4, the same as most other OSes out there.  Windows is the odd ball out.

NFSv2 and NFSv3 authorise by machine, not user.  So the machines you authorise have to be fully secure or you have very big spoofing problems.

NFSv4 authorises by user and machine.  So unless the user you are trying to write to the server as has logged in on the machine you are writing from, with NFSv4 it&#039;s not happening.

NFS had its protocol rewritten to kill the problem.

That Exploit Guy, NFS 4.1 from 2010 is cluster aware.  Something SMB 3.0 is only just getting around to.

The reality here is that Microsoft is a long way behind on implementing NFS.

The most annoying part is that the NFS 4.1 and 4.0 drivers for Windows are open source and their creation was funded by Microsoft.

http://citi.umich.edu/projects/  Yet it doesn&#039;t ship with Windows.

It&#039;s just like Windows Server still containing a telnet server and no ssh server.

That Exploit Guy, exactly why should I not be pissed over this?  Windows servers shipping out of the box with out-of-date NFS servers and clients.  There is at least an up-to-date client MS paid to be made.


A slightly broken NFS 4.x client is better than forcing usage of NFS 3.x and before, which is security busted.]]></description>
		<content:encoded><![CDATA[<p>That Exploit Guy, just to be a kick: with NFSv4 security fully enabled it is technically strong enough to be used on the Internet raw.  Not that I would risk that.</p>
<p>NFSv3 and NFSv2 should be disabled.  The common reason they are not is people trying to connect Windows machines.</p>
<p>OS X machines support NFSv4, the same as most other OSes out there.  Windows is the odd ball out.</p>
<p>NFSv2 and NFSv3 authorise by machine, not user.  So the machines you authorise have to be fully secure or you have very big spoofing problems.</p>
<p>NFSv4 authorises by user and machine.  So unless the user you are trying to write to the server as has logged in on the machine you are writing from, with NFSv4 it&#8217;s not happening.</p>
<p>NFS had its protocol rewritten to kill the problem.</p>
<p>That Exploit Guy, NFS 4.1 from 2010 is cluster aware.  Something SMB 3.0 is only just getting around to.</p>
<p>The reality here is that Microsoft is a long way behind on implementing NFS.</p>
<p>The most annoying part is that the NFS 4.1 and 4.0 drivers for Windows are open source and their creation was funded by Microsoft.</p>
<p><a href="http://citi.umich.edu/projects/" rel="nofollow">http://citi.umich.edu/projects/</a>  Yet it doesn&#8217;t ship with Windows.</p>
<p>It&#8217;s just like Windows Server still containing a telnet server and no ssh server.</p>
<p>That Exploit Guy, exactly why should I not be pissed over this?  Windows servers shipping out of the box with out-of-date NFS servers and clients.  There is at least an up-to-date client MS paid to be made.</p>
<p>A slightly broken NFS 4.x client is better than forcing usage of NFS 3.x and before, which is security busted.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100390</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Thu, 18 Oct 2012 16:46:17 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100390</guid>
		<description><![CDATA[That Exploit Guy, PS: the bug with UID and GID being hacked over the wire with NFS was done in 1998.  It was removed from the 2000 NFSv4 protocol due to the fact it could be spoofed.

That is why Windows, 12 years later, still only being able to provide NFSv3 properly is a problem.]]></description>
		<content:encoded><![CDATA[<p>That Exploit Guy, PS: the bug with UID and GID being hacked over the wire with NFS was done in 1998.  It was removed from the 2000 NFSv4 protocol due to the fact it could be spoofed.</p>
<p>That is why Windows, 12 years later, still only being able to provide NFSv3 properly is a problem.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100389</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Thu, 18 Oct 2012 16:43:34 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100389</guid>
		<description><![CDATA[That Exploit Guy
http://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-15-sect-4.html

nfs_portmon is not required on Linux default NFS servers.  A different option enables the same security feature, done in the export options.

--Tell me then, if you don’t have nfs_portmon enabled on your server, and the attacker is not seeking to mount the share in the local filesystem, how is your set-up going to stop him/her from doing anything?--

NFSv4 is stateful.  So it&#039;s not stupid.  So disabling NFSv3 and NFSv2 kills your attack even without Kerberos.  Since UID and GID don&#039;t travel over the wire with NFSv4.

---rpc.idmapd — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf must be configured. This service is required for use with NFSv4.---

Notice something here: UID and GID don&#039;t travel over the wire with NFSv4.  A string does.  A string requiring login to work.  That string is checked against GSS methods.  If the machine you are on is not approved, it&#039;s not happening.

GSS methods can include a RADIUS server check.

NfSpy basically does not work at all on NFSv4, That Exploit Guy.

Since UID/GID with NFSv4 don&#039;t exist in the over-the-wire protocol.

Next, NFSv4 does check if the user is logged in and from where.  So you cannot use some random UID/GID.  You would have to fake a full IP packet with a fake source address at minimum to beat NFSv4 by packet injection.  Yes, beating the password is most likely simpler.   krb5i is designed to make doing a fully fake packet harder.

NFSv4 removes synced UID/GID between machines.   Each machine has its own mapping file from NFS users and groups to local UID/GID numbers.   If you are dealing with many locations you can have a many-to-1 mapping.]]></description>
		<content:encoded><![CDATA[<p>That Exploit Guy<br />
<a href="http://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-15-sect-4.html" rel="nofollow">http://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-15-sect-4.html</a></p>
<p>nfs_portmon is not required on Linux default NFS servers.  A different option enables the same security feature, done in the export options.</p>
<p>&#8211;Tell me then, if you don’t have nfs_portmon enabled on your server, and the attacker is not seeking to mount the share in the local filesystem, how is your set-up going to stop him/her from doing anything?&#8211;</p>
<p>NFSv4 is stateful.  So it&#8217;s not stupid.  So disabling NFSv3 and NFSv2 kills your attack even without Kerberos.  Since UID and GID don&#8217;t travel over the wire with NFSv4.</p>
<p>&#8212;rpc.idmapd — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf must be configured. This service is required for use with NFSv4.&#8212;</p>
<p>Notice something here: UID and GID don&#8217;t travel over the wire with NFSv4.  A string does.  A string requiring login to work.  That string is checked against GSS methods.  If the machine you are on is not approved, it&#8217;s not happening.</p>
<p>GSS methods can include a RADIUS server check.</p>
<p>NfSpy basically does not work at all on NFSv4, That Exploit Guy.</p>
<p>Since UID/GID with NFSv4 don&#8217;t exist in the over-the-wire protocol.</p>
<p>Next, NFSv4 does check if the user is logged in and from where.  So you cannot use some random UID/GID.  You would have to fake a full IP packet with a fake source address at minimum to beat NFSv4 by packet injection.  Yes, beating the password is most likely simpler.   krb5i is designed to make doing a fully fake packet harder.</p>
<p>NFSv4 removes synced UID/GID between machines.   Each machine has its own mapping file from NFS users and groups to local UID/GID numbers.   If you are dealing with many locations you can have a many-to-1 mapping.</p>
]]></content:encoded>
	</item>
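The export-side check referred to in the comment above, as an added example that is not part of any comment on this page: the exports(5) option "secure" (the default) is the Linux equivalent of nfs_portmon, rejecting requests that do not come from a privileged source port (below 1024), and it sits beside "root_squash", "sec=" and the host list as the settings that decide who the server will trust. This Python parses /etc/exports syntax and reports the weak settings, run over a constructed three-line file that places two weak lines beside a hardened one. The paths, hosts and message strings are constructed for the example; the parser only knows the option names it lists, and it flags "*" without resolving netgroups or wildcards.

```python
import re

# exports(5) defaults applied when an option is not written on the line.
DEFAULTS = {"ro": True, "root_squash": True, "secure": True, "sec": "sys"}

# Constructed sample /etc/exports: weak lines beside a hardened one.
SAMPLE_EXPORTS = """
# weak: every host, AUTH_SYS, root not squashed, any source port accepted
/srv/share   *(rw,no_root_squash,insecure)
# accidental: the space before (rw) exports /srv/home to the world read-write
/srv/home    labpc01 (rw)
# hardened: one subnet, Kerberos with privacy, root squashed, privileged ports only
/srv/home    192.0.2.0/24(rw,sec=krb5p,root_squash,secure)
"""


def parse_export_line(line):
    """Split one /etc/exports line into (path, [(host, options), ...]).
    A bare host token with no parenthesised options gets the defaults.
    Per exports(5), "host (rw)" with a space is two tokens: "host" with
    the defaults and "*" (everyone) with rw, a classic misconfiguration."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    path = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    entries = []
    for tok in rest.split():
        m = re.fullmatch(r"(.*?)\(([^)]*)\)", tok)
        if m:
            host = m.group(1) or "*"   # empty host before "(" means everyone
            raw = m.group(2)
        else:
            host, raw = tok, ""
        opts = dict(DEFAULTS)
        for o in filter(None, raw.split(",")):
            if o == "rw":
                opts["ro"] = False
            elif o == "ro":
                opts["ro"] = True
            elif o == "no_root_squash":
                opts["root_squash"] = False
            elif o == "root_squash":
                opts["root_squash"] = True
            elif o == "insecure":
                opts["secure"] = False
            elif o == "secure":
                opts["secure"] = True
            elif o.startswith("sec="):
                opts["sec"] = o[4:]        # colon-separated flavor list
            else:
                opts[o] = True             # all_squash, sync, etc.
        entries.append((host, opts))
    return path, entries


def audit(text):
    """Return (path, host, finding) tuples for every weak setting."""
    findings = []
    for line in text.splitlines():
        parsed = parse_export_line(line)
        if parsed is None:
            continue
        path, entries = parsed
        for host, o in entries:
            flavors = o["sec"].split(":")
            if host == "*":
                findings.append((path, host, "exported to every host"))
            if "sys" in flavors or "none" in flavors:
                findings.append((path, host, "AUTH_SYS accepted: client-asserted uid/gid trusted"))
            if not o["root_squash"]:
                findings.append((path, host, "no_root_squash: remote uid 0 is root on the export"))
            if not o["secure"]:
                findings.append((path, host, "insecure: unprivileged client ports allowed (nfs_portmon equivalent off)"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(finding)
```

This only reads policy; pair it with "rpcinfo -p" on the server to confirm that NFS versions 2 and 3 are no longer registered, which is the other half of the recommendation in this thread. The hardened line produces no findings, the "labpc01 (rw)" line produces three, two of them for the accidental world export.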
	<item>
		<title>By: Robert Pogson</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100360</link>
		<dc:creator>Robert Pogson</dc:creator>
		<pubDate>Thu, 18 Oct 2012 12:51:48 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100360</guid>
		<description><![CDATA[TEG wrote, &lt;em&gt;&lt;font color=&quot;green&quot;&gt;&quot;how is your server going to deal with a rogue client that has gained access to the network?&quot;&lt;/font&gt;&lt;/em&gt;

We had DHCP deny IP addresses to unknown machines and we denied WIFI to unauthenticated machines. Visitors were given the key, so there was a weakness but we never had a problem that way. Who cares if a M$-only virus visits when we were running GNU/Linux?

I could also have tightened the firewall on each machine but did not bother. We were solid. Students rarely carried notebook PCs and we did not have any unused RJ-45 jacks... In six months the GNU/Linux system hummed along with zero problems.]]></description>
		<content:encoded><![CDATA[<p>TEG wrote, <em><font color="green">&#8220;how is your server going to deal with a rogue client that has gained access to the network?&#8221;</font></em></p>
<p>We had DHCP deny IP addresses to unknown machines and we denied WIFI to unauthenticated machines. Visitors were given the key, so there was a weakness but we never had a problem that way. Who cares if a M$-only virus visits when we were running GNU/Linux?</p>
<p>I could also have tightened the firewall on each machine but did not bother. We were solid. Students rarely carried notebook PCs and we did not have any unused RJ-45 jacks&#8230; In six months the GNU/Linux system hummed along with zero problems.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: That Exploit Guy</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100334</link>
		<dc:creator>That Exploit Guy</dc:creator>
		<pubDate>Thu, 18 Oct 2012 08:10:38 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100334</guid>
		<description><![CDATA[@dougman

&lt;i&gt;&#039;No Windows computer should EVER be trusted!! PERIOD!&#039;&lt;/i&gt;

Is this one of your sales pitches or just an odd habit of yours that causes you to scream nonsense at random? I am confused.

@oiaohm

I think Kerberos had been mentioned in this discussion for quite a while even before you decided to chip in on the matter.

Why not just shut up and let the grown men talk?

@Robert Pogson

Tell me then, if you don&#039;t have nfs_portmon enabled on your server, and the attacker is not seeking to mount the share in the local filesystem, how is your set-up going to stop him/her from doing anything?

What&#039;s more - didn&#039;t you mention you had also installed wifi access points in some of those schools? Tell me, then, how is your server going to deal with a rogue client that has gained access to the network?

What I am afraid of is that you simply have no answer to any of these questions, but instead you are simply hoping that &quot;GNU/Linux&quot; is somehow the magic charm that solves all the problems all by itself. That just doesn&#039;t appear to me to be very enlightened or even very bright.]]></description>
		<content:encoded><![CDATA[<p>@dougman</p>
<p><i>&#8216;No Windows computer should EVER be trusted!! PERIOD!&#8217;</i></p>
<p>Is this one of your sales pitches or just an odd habit of yours that causes you to scream nonsense at random? I am confused.</p>
<p>@oiaohm</p>
<p>I think Kerberos had been mentioned in this discussion for quite a while even before you decided to chip in on the matter.</p>
<p>Why not just shut up and let the grown men talk?</p>
<p>@Robert Pogson</p>
<p>Tell me then, if you don&#8217;t have nfs_portmon enabled on your server, and the attacker is not seeking to mount the share in the local filesystem, how is your set-up going to stop him/her from doing anything?</p>
<p>What&#8217;s more &#8211; didn&#8217;t you mention you had also installed wifi access points in some of those schools? Tell me, then, how is your server going to deal with a rogue client that has gained access to the network?</p>
<p>What I am afraid of is that you simply have no answer to any of these questions, but instead you are simply hoping that &#8220;GNU/Linux&#8221; is somehow the magic charm that solves all the problems all by itself. That just doesn&#8217;t appear to me to be very enlightened or even very bright.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Weig</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100330</link>
		<dc:creator>Chris Weig</dc:creator>
		<pubDate>Thu, 18 Oct 2012 07:19:42 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100330</guid>
		<description><![CDATA[&lt;cite&gt;Again M$ shills blame the user!&lt;/cite&gt;

No, TEG blamed the administrators. And that was absolutely justified.

And, just in case you forgot, blaming the user is a standard modus operandi on Linux discussion boards. The places you go to for support.]]></description>
		<content:encoded><![CDATA[<p><cite>Again M$ shills blame the user!</cite></p>
<p>No, TEG blamed the administrators. And that was absolutely justified.</p>
<p>And, just in case you forgot, blaming the user is a standard modus operandi on Linux discussion boards. The places you go to for support.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: oiaohm</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100322</link>
		<dc:creator>oiaohm</dc:creator>
		<pubDate>Thu, 18 Oct 2012 05:31:05 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100322</guid>
		<description><![CDATA[That Exploit Guy, have you read the security recommendations?

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-security.html

Fairly much universal: use NFSv4.  Using NFSv4 kills the defect.

https://github.com/bonsaiviking/NfSpy

That Exploit Guy, if you had read, not just googled, you would notice NfSpy is only for NFSv3 and before.  The recommendation under Linux is to run NFSv4.

There are also 3 NFSv4 Kerberos modes.

--1) krb5 Use Kerberos for authentication only.

2) krb5i Use Kerberos for authentication, and include a hash with each transaction to ensure integrity. Traffic can still be intercepted and examined, but modifications to the traffic will be apparent.

3) krb5p Use Kerberos for authentication, and encrypt all traffic between the client and server. This is the most secure, but also incurs the most load.--

The problem here is that once you are running in these modes, changing the UID and GID on the packet will not work.   NFSv4 is designed to work in an incorrectly aligned UID/GID environment.  You can only use the UID/GID that matches your authentication on NFSv4.

NFSv4 was released in the year 2000.  NFSv4 is stateful.  So those dirty tricks of wrong GID/UID don&#039;t work.

That Exploit Guy, if you want to know a reason why a Linux server will be running NFSv3, which is a security flaw:

http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread/6ca3ca0b-6ca2-4521-b225-cdf6e573cfd5

Yep, Windows 2012, just released for testing 12 years later, still does not support NFSv4, so it has people running security-flawed NFSv3.

That explains dougman&#039;s response, right?

That Exploit Guy, so you are pointing to a Windows server weakness, not a Linux one.  Even better, ID 0 in the MS default NFS server is SYSTEM.  It&#039;s one reason why it&#039;s highly stupid to run a Microsoft NFS server from a Windows box.

Your problem is you don&#039;t know the topic, That Exploit Guy, and you don&#039;t read enough.]]></description>
		<content:encoded><![CDATA[<p>That Exploit Guy, have you read the security recommendations?</p>
<p><a href="http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-security.html" rel="nofollow">http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-security.html</a></p>
<p>Fairly much universal: use NFSv4.  Using NFSv4 kills the defect.</p>
<p><a href="https://github.com/bonsaiviking/NfSpy" rel="nofollow">https://github.com/bonsaiviking/NfSpy</a></p>
<p>That Exploit Guy, if you had read, not just googled, you would notice NfSpy is only for NFSv3 and before.  The recommendation under Linux is to run NFSv4.</p>
<p>There are also 3 NFSv4 Kerberos modes.</p>
<p>&#8211;1) krb5 Use Kerberos for authentication only.</p>
<p>2) krb5i Use Kerberos for authentication, and include a hash with each transaction to ensure integrity. Traffic can still be intercepted and examined, but modifications to the traffic will be apparent.</p>
<p>3) krb5p Use Kerberos for authentication, and encrypt all traffic between the client and server. This is the most secure, but also incurs the most load.&#8211;</p>
<p>The problem here is that once you are running in these modes, changing the UID and GID on the packet will not work.   NFSv4 is designed to work in an incorrectly aligned UID/GID environment.  You can only use the UID/GID that matches your authentication on NFSv4.</p>
<p>NFSv4 was released in the year 2000.  NFSv4 is stateful.  So those dirty tricks of wrong GID/UID don&#8217;t work.</p>
<p>That Exploit Guy, if you want to know a reason why a Linux server will be running NFSv3, which is a security flaw:</p>
<p><a href="http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread/6ca3ca0b-6ca2-4521-b225-cdf6e573cfd5" rel="nofollow">http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread/6ca3ca0b-6ca2-4521-b225-cdf6e573cfd5</a></p>
<p>Yep, Windows 2012, just released for testing 12 years later, still does not support NFSv4, so it has people running security-flawed NFSv3.</p>
<p>That explains dougman&#8217;s response, right?</p>
<p>That Exploit Guy, so you are pointing to a Windows server weakness, not a Linux one.  Even better, ID 0 in the MS default NFS server is SYSTEM.  It&#8217;s one reason why it&#8217;s highly stupid to run a Microsoft NFS server from a Windows box.</p>
<p>Your problem is you don&#8217;t know the topic, That Exploit Guy, and you don&#8217;t read enough.</p>
]]></content:encoded>
	</item>
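The credential that NfSpy and the "wrong UID/GID" tricks discussed in the comments above rely on, as an added example that is not part of any comment on this page: this Python encodes and decodes the AUTH_SYS (originally AUTH_UNIX) RPC credential from RFC 5531 and then applies the root_squash and all_squash rules from exports(5) the way nfsd does, to show which forged identities a server will act on. One caveat the thread skips: AUTH_SYS is the flavor every NFSv2/v3 request carries, and an NFSv4 mount carries it too when the export permits sec=sys; the numeric uid/gid leave the wire only when the export is restricted to the Kerberos flavors (sec=krb5, krb5i or krb5p), which replace this credential with a GSS context bound to a real login, and krb5i/krb5p additionally make the request body tamper-evident. The machine name, the uid/gid values and the constant names ANON_UID and ANON_GID are constructed for the example.

```python
import struct

# ONC RPC auth flavor numbers (RFC 5531). AUTH_SYS is the legacy AUTH_UNIX flavor.
AUTH_NONE = 0
AUTH_SYS = 1

# Ids nfsd substitutes for squashed identities: the exports(5) anonuid/anongid
# defaults. The names are this example's, not nfsd's.
ANON_UID = 65534
ANON_GID = 65534


def xdr_pad(n):
    """XDR pads opaque/string bodies out to a multiple of four bytes."""
    return (4 - n % 4) % 4


def encode_auth_sys(stamp, machinename, uid, gid, gids):
    """Opaque body of an AUTH_SYS credential as an NFSv2/v3 client (or an
    NFSv4 client mounted with sec=sys) places it in every RPC call header.
    Nothing is signed or tied to a login: every field is whatever the client
    chooses, which is all an NfSpy-style tool needs to impersonate a user."""
    name = machinename.encode()
    body = struct.pack(">I", stamp)
    body += struct.pack(">I", len(name)) + name + b"\x00" * xdr_pad(len(name))
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids))
    for g in gids:
        body += struct.pack(">I", g)
    return body


def decode_auth_sys(body):
    """Parse the credential the way nfsd has to: it can read the numbers back
    but has no way to verify who chose them."""
    off = 0
    (stamp,) = struct.unpack_from(">I", body, off)
    off += 4
    (nlen,) = struct.unpack_from(">I", body, off)
    off += 4
    machinename = body[off:off + nlen].decode()
    off += nlen + xdr_pad(nlen)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    gids = list(struct.unpack_from(">" + "I" * ngids, body, off))
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


def effective_identity(cred, root_squash=True, all_squash=False):
    """Identity nfsd acts with for an AUTH_SYS request from a host the export
    list allows. all_squash maps everyone to the anonymous user; root_squash
    (the default) rewrites only id 0. Any other asserted uid/gid is honoured
    as-is, so root_squash does not stop a client from claiming another
    ordinary user's ids."""
    uid, gid, gids = cred["uid"], cred["gid"], list(cred["gids"])
    if all_squash:
        return ANON_UID, ANON_GID, []
    if root_squash:
        uid = ANON_UID if uid == 0 else uid
        gid = ANON_GID if gid == 0 else gid
        gids = [ANON_GID if g == 0 else g for g in gids]
    return uid, gid, gids


def demo():
    """Constructed scenario: a rogue client on an allowed host forges two
    credentials, one claiming root and one claiming an ordinary user.
    Returns the identities a default (root_squash) export would act with."""
    as_root = decode_auth_sys(encode_auth_sys(0, "labpc01", 0, 0, [0]))
    as_user = decode_auth_sys(encode_auth_sys(0, "labpc01", 1000, 1000, [1000, 27]))
    return effective_identity(as_root), effective_identity(as_user)


if __name__ == "__main__":
    print(demo())
```

The takeaway for the export list: root_squash only neuters id 0, so an allowed host can still read and write as any other user on the share, and the machine name inside the credential is informational only, never matched against the export's host list (nfsd matches the source IP address instead). Restricting the export to the Kerberos flavors, or using all_squash where that is acceptable, is what closes the hole.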
	<item>
		<title>By: Robert Pogson</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100320</link>
		<dc:creator>Robert Pogson</dc:creator>
		<pubDate>Thu, 18 Oct 2012 04:45:00 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100320</guid>
		<description><![CDATA[TEG wrote, &lt;em&gt;&lt;font color=&quot;green&quot;&gt;&quot;With a client that can spoof UID and GID?&quot;&lt;/font&gt;&lt;/em&gt;

The ordinary user does not have root access to run that application.]]></description>
		<content:encoded><![CDATA[<p>TEG wrote, <em><font color="green">&#8220;With a client that can spoof UID and GID?&#8221;</font></em></p>
<p>The ordinary user does not have root access to run that application.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dougman</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100317</link>
		<dc:creator>dougman</dc:creator>
		<pubDate>Thu, 18 Oct 2012 04:35:38 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100317</guid>
		<description><![CDATA[No Windows computer should EVER be trusted!! PERIOD!]]></description>
		<content:encoded><![CDATA[<p>No Windows computer should EVER be trusted!! PERIOD!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: That Exploit Guy</title>
		<link>http://mrpogson.com/2012/10/16/convenience-features-disaster/#comment-100314</link>
		<dc:creator>That Exploit Guy</dc:creator>
		<pubDate>Thu, 18 Oct 2012 03:19:18 +0000</pubDate>
		<guid isPermaLink="false">http://mrpogson.com/?p=15100#comment-100314</guid>
		<description><![CDATA[&lt;b&gt;&#039;and just how is an ordinary user going to fudge packets?&#039;&lt;/b&gt;

With a client that can spoof UID and GID? I have even linked to &lt;a href=&quot;http://seclists.org/pen-test/2011/Jul/5&quot; rel=&quot;nofollow&quot;&gt;one&lt;/a&gt; in my previous comment, so what exactly is your excuse?

&lt;i&gt;&#039;that doesn’t happen on any GNU/Linux system I have seen&#039;&lt;/i&gt;

That&#039;s quite a limited subset of what&#039;s really happening in the real world, isn&#039;t it?]]></description>
		<content:encoded><![CDATA[<p><b>&#8216;and just how is an ordinary user going to fudge packets?&#8217;</b></p>
<p>With a client that can spoof UID and GID? I have even linked to <a href="http://seclists.org/pen-test/2011/Jul/5" rel="nofollow">one</a> in my previous comment, so what exactly is your excuse?</p>
<p><i>&#8216;that doesn’t happen on any GNU/Linux system I have seen&#8217;</i></p>
<p>That&#8217;s quite a limited subset of what&#8217;s really happening in the real world, isn&#8217;t it?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
